Who Really Owns Cloud & AI Security?

Jacob Boyden | 4th June 2026

The Dangerous Misunderstanding Behind Cloud and AI Security

Many organisations still believe cloud providers or AI vendors are fully responsible for protecting customer data, AI workflows, and compliance obligations. This misunderstanding creates major security gaps, compliance failures, and operational risk.

The reality is that cloud providers secure the infrastructure, but organisations remain responsible for securing their own data, identities, AI usage, configurations, and compliance obligations. AI has expanded the Shared Responsibility Model, introducing new risks like prompt injection, model misuse, and sensitive data exposure that customers must actively govern.

Why This Matters More Than Ever

AI adoption is accelerating faster than governance and security controls. At the same time, organisations are moving more sensitive workloads into cloud environments while wrongly assuming providers handle the security risk for them.

Some key numbers highlight the scale of the problem.

The average global data breach cost reached a record $4.88 million in 2024, according to IBM.

Gartner predicts that by 2028, 25% of enterprise GenAI applications will experience at least five security incidents per year, driven by immature AI security practices and new attack vectors.

Gartner also predicts the average Fortune 500 company will grow from fewer than 15 AI agents in 2025 to over 150,000 by 2028, creating massive governance and visibility challenges. Only 13% of organisations believe they currently have proper AI governance controls in place.

Worldwide public cloud spending was forecast to hit $723.4 billion in 2025, meaning more organisations than ever are relying on cloud platforms while still misunderstanding where provider responsibility ends and customer responsibility begins.

IBM research found organisations using mature AI and security automation reduced breach costs by an average of $2.2 million, proving governance and security maturity directly impacts financial risk.

Gartner warns fragmented AI regulation will expand to cover 75% of the world’s economies by 2030, driving over $1 billion in AI compliance spending.

Understanding the Cloud Shared Responsibility Model

AWS states that security and compliance are a "shared responsibility" between AWS and the customer.

AWS secures the physical infrastructure, while customers remain responsible for:

  • Identity and access management

  • Data encryption

  • Guest operating systems

  • Firewall configuration

  • Application security

Microsoft Azure states:

"For all cloud deployment types, you own your data and identities."

The message is clear. Cloud providers secure the cloud, but customers remain responsible for what they place inside it.

Why Compliance Accountability Still Belongs to Your Organisation

Under GDPR and most major compliance frameworks, the organisation controlling the data remains accountable, even when using cloud or AI vendors.

Microsoft’s GDPR guidance notes:

"The burden for personal data protection under the GDPR still rests primarily with controllers."

This means organisations remain responsible for:

  • Data classification

  • Retention policies

  • Access control

  • Incident response

  • AI governance

  • Third-party risk management

Moving to SaaS or AI platforms does not transfer legal accountability.

How AI Expands the Shared Responsibility Model

AI introduces entirely new responsibilities that did not exist in traditional cloud environments, including:

  • Prompt injection protection

  • Model governance

  • Sensitive data leakage prevention

  • AI output validation

  • Bias monitoring

  • Human oversight

  • Training data governance

Microsoft’s AI shared responsibility guidance states customers remain accountable for:

  • Protecting sensitive input data

  • Managing prompt security

  • Mitigating prompt injection risks

  • Ensuring regulatory compliance

AWS Bedrock guidance similarly states customers remain responsible for securing applications, prompts, and deployed AI resources.

Why This Is Fundamentally a Governance Challenge

This is fundamentally a governance issue, not just a technical one.

The Shared Responsibility Model should be embedded into:

  • Risk registers

  • Vendor risk assessments

  • AI governance frameworks

  • Security policies

  • Incident response plans

  • Compliance audits

One of the most common governance failures is that many organisations document vendor controls but fail to define internal ownership for customer-side responsibilities.

Cloud providers protect the cloud.

Your organisation protects the data, identities, AI usage, and compliance obligations within it.

Final Thoughts

As cloud adoption and AI deployment continue to accelerate, organisations can no longer assume security accountability transfers to vendors. Understanding and operationalising the Shared Responsibility Model is critical for reducing risk, maintaining compliance, and governing AI effectively.

The organisations that succeed will be those that clearly define ownership, implement governance controls, and continuously monitor their responsibilities across cloud and AI environments.

If this sounds like a challenge your organisation is facing, book a call, and follow @VisibleGRC on LinkedIn for more insights on cloud security governance, AI governance, and GRC best practices.
